Audit committees recognize IT risks should be a focus

90% believed that IT oversight deserved more time at audit committee meetings. By constrast, 80% of committee members were satisfied with audit committee oversight of management judgments and estimates and 60% felt that committees were spending suffi­cient time on these issues.

Good to see audit committees are looking into this area with greater scrutiny. IT is often an area where firms of all sizes could benefit from increased focus and constantly thinking of ways to improve their controls and processes.

But what about the 20% that is satisfied with audit committee oversight of management judgments and estimates, but do not believe suffi­cient time is being spent on the issue? How can you feel an area needs more time and yet be satisfied with the oversight? This is why looking at surveys is fun.

“The ACI survey findings demon­strate a huge gap between the impor­tance that audit committees place on IT risk and how much time they spend focused on it during their already busy meetings,” Smith said. “Since audit committees generally have only basic IT experience, there may be a reluc­tance to invite chief infor­mation officers and chief technology officers to their meetings, in part, because there is a lack of common vocabulary.”

Audit committees need to have at least one member who has a high level of knowledge in IT as it relates to financial reporting. There is no excuse for lacking someone with a good grasp on the IT risks the organi­zation faces. And CIOs and CTOs aren’t enough — CFOs need to have a more than basic under­standing, and even lower down in the accounting department.

I’m really pleased that the CICA has been so proactive towards training CAs on this topic. IT is one of the six topics covered in the profes­sional exam process. (The others are audit/assurance, perfor­mance measurement, tax, finance, and organi­za­tional effec­tiveness, control and risk management.) Clearly there is some overlap between the last compe­tency and IT.

An in-depth discussion of the six CA compe­tencies is published by the Institute and available here (pdf).